Pressure grows to boost security of infusion pumps
Momentum is building toward finding a way to fix security vulnerabilities in wireless medical infusion pumps, which are widely used in the nation’s hospitals.
The National Institute of Standards and Technology (NIST) is mounting the charge, announcing in late January that it’s looking for technology companies to participate in a collaborative project to improve the security of wireless infusion pumps.
The work will be conducted by the National Cybersecurity Center of Excellence (NCCoE), with the end result serving as a solution framework to beef up the security of the pumps.
Concerns about the pumps’ vulnerability to hacking began to surface in the last couple years. The devices, formerly just standalone devices that regulated the flow of drugs into a patient’s bloodstream, have become sophisticated devices that can be programmed at the bedside, or remotely over a hospital’s network—they can either be connected to a network by cable or wirelessly.
Concerns grew last summer, when the Food and Drug Administration took the unprecedented step of alerting users of the Hospira Symbiq Infusion System to cybersecurity vulnerabilities with the pump. The FDA strongly encouraged healthcare facilities to discontinue use of the pumps. Hospira has been acquired by Pfizer Inc., and the company no longer distributes the pumps deemed by the FDA to be insecure.
But security experts say vulnerabilities aren’t just limited to the Hospira devices; they contend that the very openness and simplicity with which the devices can connect to hospital networks leaves them open to hacking.
That’s not only a danger to hospital patients—hackers could easily change drip rates, leaving patients at risk for receiving unsafe doses of drugs. But the devices often hold network information, which can include passcodes that could give hackers wide reach into a hospital’s networks, and patient information.
And some worry that infusion pumps may just be the tip of the iceberg, as more medical devices are connected to hospital networks as part of the Internet of Things (IoT) movement. For example, two years ago a research project found 300 insecure medical devices, made by 40 different manufacturers, says Mac McMillan, CEO and founder of CynergisTek Inc., an information security firm. “These pumps, and most notably the latest vulnerability with certain Hospira pumps, have just gotten a lot of attention.”
One demonstration this past summer showed how easy it was to access an infusion pump, direct its operations for delivering drugs, and then access network information to compromise an organization’s network. Conducted by BlackBerry at a security summit in July 2015, the entire hack took fewer than five minutes. BlackBerry, which ran the demo at a security event, didn’t disclose the brand of device it hacked.
The demo “was provided as an example and not necessarily typical for all devices across the board,” says Graham Murphy, a security researcher for BlackBerry, which offers security services. “Once hackers make an initial connection to a pump, they could remotely access all devices connected to the same Wi-Fi network.
"What is really alarming is the fact that it does not take an overly advanced set of skills to conduct this level of hack."
“In general, the skill set of a malicious hacker will only dictate how quickly they can compromise a system,” he added. “A compromised infusion pump could be used to access other devices and pumps on the network. Other devices could include laptops or call systems.”
“What is really alarming is the fact that it does not take an overly advanced set of skills to conduct this level of hack,” adds David Kleidermacher, chief security officer for BlackBerry.
The wireless capabilities of the pumps make them an easy target for hackers, confirms Jeremy Richards, a researcher for SAINT Corp., who conducts reverse engineering security tests to identify methods of detecting vulnerable software and devices over a network. An expert in finding vulnerabilities with routers, he’s also worked on other IoT devices, including infusion pumps. They are easily breached, Richards says.
“The most serious of the vulnerabilities (remote unauthenticated root shell) in the pump was the fault of the vendor for not doing a security audit on the device before it was deployed,” he says of his experience hacking the now-discontinued version of the Hospira infusion pump that prompted the FDA notice. “Exploiting the bug is technical, but understanding the risk associated with it is not. Even an automated vulnerability scan would have identified some of the vulnerabilities.”
In the case of the now-discontinued Hospira pump, it stored the keys to the wireless network unencrypted on the device, Richards says. That’s how a hacker can access other devices, or the network itself, he adds. “An attacker can extract the keys by attaching a device to the Ethernet port (of the pump) or supplying an IP via DHCP and starting a telnet session with the device.”
Manufacturers are aware of the concerns and have been working toward reducing the risks, says Mike Nelson, vice president of DigiCert, a company that provides security and identity solutions. “I do think the issue is very real, and there is a real risk of introducing a ‘back door’ into a hospital network. All these vulnerabilities need to be addressed.”
Blame for the vulnerability of infusion pumps doesn’t lie solely with the manufacturers, believes Michael McNeil, global product security and services officer for Royal Philips, which manufactures medical devices, including infusion pumps. “We believe there are a number of constituents to this problem, from manufacturers to hospitals to regulators. It takes that entire village to address any potential issues that are out there,” he says.
CareFusion, another manufacturer of pumps, is ratcheting up testing of its devices, says Nivaldo Diaz, vice president and general manager of worldwide technology solutions for BD, which owns the CareFusion product line.
“Our multidisciplinary cybersecurity team closely monitors cybersecurity threats in the medical industry, as well as across other industries that could impact our company and our customers. We also work with third-party security researchers and experts to regularly test and validate the security of our products and internal systems,” Diaz says. “BD’s internal team and independent external IT security experts regularly perform testing to identify potential vulnerabilities of our infusion pumps.”
Network security at customers’ sites is an essential component of insulating infusion pumps from hacking, he believes. “However, we never assume that a hospital’s internal security protocols are enough to secure our devices. We approach cybersecurity with our devices so they are protected regardless of the network security that may or may not exist at the customer site.”
A variety of reasons exist behind the vulnerability of connected medical devices, including pumps, says Scott Erven, associate director of medical device and healthcare security for Protiviti, a global consulting firm that specializes in security issues. He believes that the devices can be made secure. “We can engineer security into them,” he adds.
That’s the goal of the NIST effort, to create a security structure that can protect the pumps—and the information systems to which they connect—from hacking, says Gavin O’Brien, a computer scientist from NCCoE, who is the lead author of a white paper that’s a final version of a use case on providing security for wireless medical infusion pumps.
"Hospitals must use their buying power to encourage manufacturers to develop secure devices."
The collaboration with vendors will help develop a framework to protect the devices, O’Brien says. The ultimate solution is an entire defense framework, not just the development of a hardened infusion pump—the devices still need to be able to deployed within a hospital network environment and accessible for network connections.
“An infusion pump sits inside a healthcare enterprise, which has networking, security capabilities (like firewalls and switches), network scanning capabilities and firewalls within the enterprise network that can further secure things,” he says. “When we go out to do our build, we will make our decisions about how we will set up a defense for wireless infusion pumps.”
Hospitals can influence the market in other ways, says Richards. “Hospitals must use their buying power to encourage manufacturers to develop secure devices. If hospitals don’t apply pressure, the manufacturers won’t spend the money.
“Manufacturers need to build security into the development lifecycle,” he says. “Many of these issues are on 10-year-old pumps that are still being used (in hospitals), and this is where the challenge lies. There was no thought put into supporting security updates for these devices after they are in the customers’ hands.”